Long one of the greatest concerns about wireless local-area networks, security remains a sticking point for many organizations thinking of going wireless and a preoccupation for those that have done so. But new technology is making wireless LANs more secure.
In a survey of 589 IT administrators and company executives conducted by research firm In-Stat/MDR in August, concerns about security were the top reason respondents gave for not implementing wireless LANs, and the foremost concern cited by those who have gone wireless. In October, Meta Group, an IT research and consulting firm in Stamford, Conn., listed security as one of the top half-dozen issues IT organizations must address in implementing wireless LANs.
Fortunately, tools designed to address it are improving.
“Security is still a very important issue and still something of a barrier to adoption,” says Richard Webb, directing analyst for wireless LANs at Infonetics Research, Inc., in London. “But it’s coming down the list of (buyers’) concerns.”
Early wireless LANs relied on the Wired Equivalent Privacy (WEP) protocol. It quickly became evident that WEP was not secure. The 40-bit encryption key commonly used for WEP is too short, most installations use the same key for every station on the network, and statistical analysis can help break the code. Webb compares WEP to a “No Trespassing” sign — it makes sure people know they are not supposed to go there, but doesn’t stop determined trespassers.
As long as WEP was all there was, wise IT shops treated wireless networks as insecure and layered extra security onto them. Law firm Fraser Milner Casgrain LLP, for instance, implemented a wireless network in its Toronto office in 2003 that is actually a public hotspot, which visiting clients can use for Internet access.
Fraser Milner’s own staff can connect to the firm’s servers over the same network by using Citrix Systems Inc.’s MetaFrame, explains Dave Komaromi, the law firm’s IT manager. Komaromi said MetaFrame treats remote devices as terminals and transmits data in a form virtually impossible for an eavesdropper to decipher. “We chose not to expose the internal infrastructure to wireless,” Komaromi says.
Doctors who use the wireless network at Kingston General Hospital in Kingston, Ont., must have virtual private network (VPN) clients on their mobile devices, creating a secure tunnel through the network.
“It can introduce a fair bit of overhead,” admits Bob Schaefer, the hospital’s manager of telecommunications and distributed computing, but he would rather pay that price than take risks with sensitive medical data. The hospital treats its whole wireless network “like the Internet,” Schaefer says.
However, efforts to replace WEP with something better have now borne fruit.
Wireless networking vendors have begun implementing the new standards, and that means increased peace of mind for customers. “Are they delivering increased security?” asks Steve Rampado, senior manager of security services at consulting firm Deloitte & Touche LLP in Toronto. “Absolutely.”
The first step was Wi-Fi Protected Access (WPA). It replaces WEP’s unsatisfactory encryption with a new algorithm called Temporal Key Integrity Protocol (TKIP) — with a constantly changing encryption key — and it improves user authentication by implementing a standard called 802.1X.
WPA without 802.1X can expose a network to threats
The Wi-Fi Alliance began certifying devices that support WPA in spring 2003, and shortly afterward made support for the new specification a requirement for Wi-Fi certification. WPA “seems to be what most major enterprises either have now or are moving toward,” says Webb.
Nobody denies WPA is a big improvement over WEP. But it isn’t foolproof.
One particular weakness is that WPA can be used without 802.1X. Diana Kelley, executive security advisor at Computer Associates International Inc. in Islandia, N.Y., explains that there are two implementation options. One is the enterprise option, in which 802.1X sends a different encryption key to every device that signs on to the network. But because this adds overhead, there is also a shared-key option, in which all devices use the same key — just as they do in WEP. Kelley says even the shared-key version of WPA is more secure than WEP, but the full implementation using 802.1X is even better.
AES can make wireless more secure than wireline
But WPA is just an interim step. It is a subset of the 802.11i standard (also known as WPA2), ratified by the Institute of Electrical and Electronics Engineers (IEEE) in June. This new standard incorporates further improvements over WPA, and currently appears to be the security destination wireless networks should be moving toward.
Most importantly, 802.11i will incorporate a new encryption technique known as the Advanced Encryption Standard (AES), considered more secure than the encryption algorithm used in earlier standards. “That’s something that really has resonance with IT managers,” Webb says. “They understand what AES is, and once you have that on a wireless network, you could begin to argue that your wireless LAN is more secure than your wired LAN.”
The bad news is that AES makes processing demands on network hardware that many existing devices can’t handle.
“A lot of the equipment that we’ve already got out in the marketplace isn’t WPA2-ready,” Kelley says. Mainly for that reason, she adds, “a lot of companies that have done complex WPA deployments are rolling slowly to 802.11i.”
Kelley says many wireless users are sticking with plain WPA while they wait for older network gear to come due for replacement, making way for new equipment that can handle 802.11i.
“I don’t think you’ll see it being implemented in traditional networks at first,” says Tracy Fleming, national IP telephony practice leader at Avaya Canada in Toronto. However, Fleming says, 802.11i may see early adoption in networks designed for small handheld devices that aren’t well suited to other security provisions, such as VPNs.
Most organizations will probably implement 802.11i sooner or later, but even that shouldn’t be seen as a wireless security panacea. “You’re not going to get the silver-bullet solution with any wireless network,” Rampado warns. Depending on how sensitive the information being transmitted over a wireless LAN is, he advises taking extra precautions, such as using VPN technology.
Komaromi says Fraser Milner Casgrain will be looking at WPA and 802.11i this year, and expects to implement newer encryption standards soon. Doing so will let the firm add new wireless applications that aren’t practical using Citrix MetaFrame — such as voice over IP over the wireless LAN.
Rampado suggests a couple of other steps that can help make wireless LANs more secure. One is to change the default service set identifier (SSID) code of every access point, making it harder for would-be intruders to guess the code. He adds some equipment vendors provide the option of turning off SSID broadcasting. This means a user who knows the SSID can still connect to the device, but it doesn’t advertise its presence to anyone in the area with a wireless-ready device.
You could have a wireless LAN and not even know it
Rampado adds that basic security precautions like firewalls are just as important in wireless networks as elsewhere, and that wireless users can take fundamental precautions, such as locating wireless access points so their range doesn’t extend beyond office walls more than necessary.
Whether companies officially have wireless networks or not, they still need to consider the risk of rogue access points installed by well-meaning users who don’t consider the security implications, Kelley says. She suggests IT departments monitor from the wired network side and from the wireless side — by scanning for wireless connections — to spot these.
Webb adds that one good way to combat rogue access points is to install officially sanctioned, properly secured wireless networks. Once that’s done, he says, there’s no need for workers to install access points purchased from retail electronics stores.
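The checks the article recommends in this section and the one before it (changing default SSIDs, scanning from the wireless side for rogue access points, and preferring 802.1X with AES over shared keys and TKIP) can be folded into one inventory comparison. This is an added example, not code from the article or from any vendor named in it; the scan export format, the security labels, the sanctioned-AP inventory and the default-SSID list are all constructed assumptions.

```python
"""Check a wireless-side scan against an inventory of sanctioned access points.
Added example, not code from the article; the scan line format and the
security labels (OPEN, WEP, WPA-PSK-TKIP, WPA2-EAP-CCMP) are assumptions."""

# Constructed inventory of sanctioned access points: BSSID -> expected SSID.
SANCTIONED = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
SANCTIONED_SSIDS = set(SANCTIONED.values())
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink"}  # constructed list
# Constructed scan export, one "bssid,ssid,security" line per observed AP.
SCAN_EXPORT = """\
00:11:22:33:44:01,corp-wlan,WPA2-EAP-CCMP
00:11:22:33:44:02,corp-wlan,WPA-PSK-TKIP
aa:bb:cc:dd:ee:01,linksys,WEP
aa:bb:cc:dd:ee:02,corp-wlan,WPA2-PSK-CCMP
"""

def assess(bssid, ssid, security):
    """Return the list of issues for one observed access point."""
    issues = []
    if bssid not in SANCTIONED:
        issues.append("rogue: BSSID not in inventory")
        if ssid in SANCTIONED_SSIDS:
            issues.append("rogue advertises a sanctioned SSID")
        if ssid.lower() in DEFAULT_SSIDS:
            issues.append("default SSID left unchanged")
    elif ssid != SANCTIONED[bssid]:
        issues.append(f"SSID mismatch: expected {SANCTIONED[bssid]}")
    # Encryption checks apply to every AP, sanctioned or not.
    if security in ("OPEN", "WEP"):
        issues.append(f"weak or no encryption: {security}")
    elif "PSK" in security:
        issues.append("shared key: no per-device 802.1X keying")
    if "TKIP" in security:
        issues.append("TKIP rather than AES (CCMP)")
    return issues

def scan_report(export=SCAN_EXPORT):
    """Parse the export; return {bssid: issues} for APs with findings only."""
    report = {}
    for line in export.strip().splitlines():
        bssid, ssid, security = line.split(",")
        if issues := assess(bssid, ssid, security):
            report[bssid] = issues
    return report
```

Run against the constructed export, the properly configured sanctioned AP is silent, the sanctioned AP still on WPA-PSK/TKIP is flagged for both, and the two unknown BSSIDs are reported as rogues, one for its default SSID and WEP and the other for impersonating the corporate SSID.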
Any organization with mobile workers should also consider the security implications of its road warriors using public hotspots for access to the Internet and to corporate applications. Rampado advises companies to use VPNs whenever they need to provide remote access, through wireless hotspots or other connections, to corporate systems.
And he suggests mobile workers spend as little time connected to hotspots as is practical. “Connect, download your e-mail, disconnect,” he advises. New technology notwithstanding, it still pays to be careful.